GDPR Compliance

The European Union's General Data Protection Regulation (GDPR) is a comprehensive legal framework focused on data security and privacy. From an organizational standpoint, the GDPR lays down the ground rules for collecting personal data from European Union (EU) data subjects, securing that data through its entire life cycle, establishing and enforcing accountability for the processing of personal data, and setting up countermeasures in the event of a data breach.  

From now on, all businesses that process the personal data of EU data subjects will have to abide by the GDPRregardless of where their business operates. If a business is found to be non-compliant, it will face a penalty of up to 20 million or four percent of their global turnover (whichever is higher)

With a growing number of businesses across the globe embracing the use of mobile devices to improve employee productivity, enterprise mobility management (EMM) will play an integral part in helping organizations comply with the GDPR by ensuring the security and privacy of mobile data.

The following table shows how Mobile Device Manager Plus helps you with the GDPR:

GDPR Article Number Article Description How Mobile Device Manager Plus(MDMP) helps?
5.1.f

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures ("integrity and confidentiality").

Gain visibility into mobile users trying to access your Exchange server, and restrict them from accessing any personal data.

25.2 (i) The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage, and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

Segregate personal and corporate workspaces on managed mobile devices. Ensure that sensitive business data is secured within the corporate workspace. 

  • For personal devices of end users, the organization will only have access to that device's corporate workspace.
  • At any point, end users can remove their personal devices from under the management of Mobile Device Manager Plus. However, once a device is unenrolled, it can no longer access business services. Also, all personal data
  • pertaining to that user's device will be removed from the Mobile Device Manager Plus (MDMP) server except the user name, which is required for auditing purposes.

     

30

Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities, purpose of processing, description of categories of data, security measures, comprehensive data flow map, under its responsibility.

Maintain and view a record of all processing activities carried out using the Mobile Device Manager Plus server.
32.1.a

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data.

Encrypt sensitive business information, such as customers' personal data, stored on mobile devices used by your employees.

32.1.d (iv)

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Receive periodic notifications on whether the mobile devices managed by your organization are still compliant with the corporate policies assigned to them using Mobile Device Manager Plus.

32.2 In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.

Prevent data loss and unauthorized data access by:

  • Restricting data sharing between managed and unmanaged apps on a mobile device. Also, blacklist apps with security vulnerabilities.
  • Restricting unauthorized data transfer through USB, Wi-Fi, Bluetooth, and AirDrop. 
  • Restricting data backups to third-party cloud services.
  • Securely distributing business sensitive documents from the Mobile Device Manager Plus server to managed mobile devices. 
  • Routing mobile network traffic through secure proxy and VPN channels.
  • Setting alerts in case a device doesn't check in with the Mobile Device Manager Plus server over a predefined period of time.
  • Remotely wiping sensitive data off of misplaced, lost, and stolen devices.
  • Detecting and restricting jailbroken and rooted devices.

     

32.4 The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Configure role-based access to ensure that authorized personnel using the Mobile Device Manager Plus server can: 

  • Carry out only the specific processing activities assigned to them.
  • View and manage only the devices that are assigned to them.